BYOD's legal minefield

CIOs need to be ready for the legal dilemmas of a bring-your-own-device policy

Alistair Maughan is a partner in the law firm Morrison & Foerster's London office. He leads the firm's UK outsourcing team and is co-chair of the firm-wide Technology Transactions Group. Maughan focuses on outsourcing and technology-based projects for major companies and public sector organisations.

April 23, 2012

CIO

One of the key trends affecting CIOs' priorities at the moment is the proliferation of personal IT devices used for business purposes.

Many business users now have better access to technology at home than they do at work, so the pressure is increasing on IT departments to support the use of personal devices for work purposes.

The iPhone leads the way, although Android-based smartphones, Windows laptops and the iPad are not far behind.

This trend leads to considerably more complexity for IT departments to manage, but CIOs also need to grapple with the legal and regulatory issues raised by the use of personal devices for work purposes.

These include the possible loss or theft of enterprise data, software licensing implications, the potential loss of intellectual property, the impact on HR laws and difficulties meeting compliance requirements.

As a result, many organisations have specific policies designed to cope with the move towards a bring-your-own-device (BYOD) system of technology provision.

Data issues: The most obvious legal concern stems from the challenge of ensuring data security on non-company equipment, which primarily arises from it being harder to keep track of where data may actually be and the difficulty of policing the use of personal devices.

Companies need to grapple with scenarios such as what happens if an employee puts corporate data into a non-corporate supported location like Dropbox or stores data on a device which is also used by their family.

If there's a security breach, what's the appropriate corporate response? Is it really practical to take the position that corporate data cannot be stored on personal devices?

Most countries have laws which require organisations to guard against the consequences of losing sensitive data.

This becomes significantly harder if the device on which that data is stored is not owned by the enterprise itself.

Most organisations employ encryption as standard and deploy remote-wipe capability, but the challenges of the data privacy implications of a BYOD world are not to be underestimated.

Many organisations understand that users, and the content they generate and consume, vary in their level of information sensitivity.

Licensing and intellectual property: The licensing implications of a consumerisation strategy are often overlooked.

Companies may forget to check the scope of software licences within the enterprise when employees use their own mobile devices or laptops to access a virtual desktop, either from home or in the office.

In practice, it may be that details such as the product, where it's used and by whom, can all affect the issue of whether the product is being used outside the permitted licence terms.

Compliance: A major risk for any enterprise that allows non-standard devices in the workplace is how to ensure and demonstrate regulatory compliance.

This is a particular challenge for regulated industries such as healthcare, pharmaceuticals and financial services.

But there are other laws, such as the US Sarbanes-Oxley Act (which imposes an onus on public companies to closely monitor financial and accounting activities) where compliance becomes harder as the population of IT devices in use becomes more diverse.

In considering regulatory compliance, several key questions should be asked. These include where the data is stored, what the implications of that storage are and what happens if a device is lost or stolen.

HR law: Another area of concern falls between two stakeholder groups within an enterprise: the CIO and the HR director.

Many of the issues brought up by the consumerisation of IT involve compliance with existing HR law.

For example, how do you deal with data and company property stored on personal devices on termination of employment? What are the implications for work-life balance?

Across most of the EU there is a 48-hour limit on a working week, but how does that apply when studies show that 66 per cent of people send emails seven days a week and expect a response the same day, and 61 per cent even check email while on holiday?

Organisations need to ensure that their policies and strategies reflect their chosen route to consumerisation. This usually requires collaboration beyond the IT and data security sphere to include legal, HR and finance considerations.